A new strain of malware that targets banking apps has hit Android devices. Named MysteryBot, the malware packs a banking trojan, a keylogger, and ransomware into a single package, making it more harmful than any other recently discovered malware. It resembles LokiBot, which wreaked havoc last year by turning into ransomware when users attempted to remove it.

MysteryBot targets devices running Android 7 or 8. ThreatFabric, which first reported the malware in a blog post, found that MysteryBot and the LokiBot Android banker are “both running on the same C&C server.”

What makes the malware lethal is its exceptional ability to take complete control of a user’s device. Besides the generic functionality of an Android banking trojan, MysteryBot exhibits extraordinary overlay, keylogging, and ransomware capabilities.

The malware uses a new overlay technique that abuses the PACKAGE_USAGE_STATS permission, which allows it to gain access to other permissions without the user’s consent.

A keylogger has also been found in the malware. According to the researchers, it does not rely on any previously known keylogging technique. Instead, “this technique calculates the location for each row and places a View over each key.”

However, the keylogger is still in development, as it has no method yet for sending captured data to the C2 server.

MysteryBot’s ransomware component encrypts every file in the external storage directory individually, including every subdirectory, and then deletes the original files.

“When the encryption process is completed, the user is greeted with a dialog accusing the victim to have watched pornographic material. To retrieve the password and be able to decrypt the files the user is instructed to e-mail the actor on his e-mail address:”

However, MysteryBot is still under development and has not spread yet, which is a relief. To keep your device safe, it is recommended not to install Android apps from sources other than the Google Play Store. ThreatFabric added that “most Android banking Trojans seem to be distributed via smishing/phishing & side-loading.”